I hope the other lesson was the good email verification hygiene of making the user take an affirmative action and click a "verify email" button rather then send it unsolicited.
You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.
How would adding an extra button change anything? Right now when they register we send a “verify email address” email. Adding an extra step of “click a button” makes no meaningful difference.
It took me a while to understand what GP was trying to say, but I suppose they're thinking of one of those sites where they let you create an account, will let you in and then nag you for a while about "verifying your email address" by clicking a link that will actually send you an email. An unsophisticated spambot won't probably care enough to click through that.
Not a solution.
Verification emails alone got a small web site I set up to be blacklisted within days. Most of the unwilling recipients presumably couldn't understand the language the verification email was written in and reported it as spam.
You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.